McAfee Says Cyber-attack Details Point to IE Security Vulnerability

Updated: Security vendor McAfee is reporting that the cyber-attack that hit more than 30 businesses, including Google and Adobe Systems, involved the use of a zero-day exploit targeting Internet Explorer.

The more details that leak out about the cyber-attack
that hit Google, Adobe Systems and roughly 30 other companies, the more
complex the picture gets.
According
to a Jan. 14 analysis by McAfee, which has dubbed the situation "Operation
Aurora," one of the malware samples involved in the attack exploited a new
zero-day vulnerability in Microsoft Internet Explorer. McAfee revealed little
about the flaw, stating only that its investigation showed IE is vulnerable on
all of Microsoft's operating systems, including Windows 7.

"Once
the malware is downloaded and installed, it opens a back door that allows the
attacker to perform reconnaissance and gain complete control over the
compromised system," said
McAfee CTO George Kurtz. "The attacker can now identify high-value
targets and start to siphon off valuable data from the company."

Microsoft
released some additional details about the vulnerability, which the company
said is an invalid pointer reference within IE. According to Microsoft, the
vulnerability affects IE versions 6, 7 and 8. The attacks the company has seen
are reported to be targeting IE 6.
Talk
of an IE vulnerability follows reports from other vendors that the attackers launched
a spear-phishing campaign using Adobe Reader attachments. McAfee said it has
not uncovered any evidence that a Reader vulnerability was exploited in the
attacks.
However,
according to VeriSign's iDefense Labs, malicious PDFs were involved,
and Google followed the attack code back to the drop servers and
determined that the attack hit an additional 33 companies.

"According
to sources familiar with the present attack, attackers delivered malicious code
used against Google and others using PDFs as e-mail attachments; those same
sources also claim that the files have similar characteristics to those
distributed during the July attacks," iDefense said in a Jan. 12 report.
"In both attacks, the malicious files drop a backdoor Trojan in the form
of a Windows DLL."
iDefense
also noted similarities to a July 2009 attack in which hackers launched
targeted e-mail campaigns against 100 IT-focused companies via a zero-day
vulnerability in Reader.
"The
code samples obtained by iDefense from the July attack and the present attack
are different, but they contact two similar hosts for command-and-control
communication," the iDefense report continued. "The servers used in
both attacks employ the HomeLinux DynamicDNS provider, and both are currently
pointing to IP addresses owned by Linode, a U.S.-based company that offers
Virtual Private Server hosting. The IP addresses in question are within the
same subnet, and they are six IP addresses apart from each other.
"Considering
this proximity, it is possible that the two attacks are one and the same, and
that the organizations targeted in the Silicon Valley
attacks have been compromised since July," the report concluded.